* Using sets for protocols ?
@ 2017-08-08 21:15 J Doe
2017-08-09 0:11 ` Eric Leblond
0 siblings, 1 reply; 3+ messages in thread
From: J Doe @ 2017-08-08 21:15 UTC (permalink / raw)
To: netfilter
Hi,
I am currently experimenting with nftables syntax and was wondering if there was a way to specify that a rule applies to *BOTH* TCP and UDP.
For instance, allowing DNS resolution:
add rule filter input tcp sport domain ct state established,related accept
add rule filter output tcp dport domain ct state new,established,related accept
add rule filter input udp sport domain ct state established,related accept
add rule filter output udp dport domain ct state new,established,related accept
...requires four rules the way I have written it.
Is there a way to decrease this by specifying the rules apply to both TCP and UDP ?
I tried using a set:
add rule filter input { tcp, udp } sport domain ct state established,related accept
add rule filter output { tcp, udp } dport domain ct state new,established,related accept
...but the nft parser rejects this syntax.
I also tried leaving the protocol out to see if it would default to both:
add rule filter input sport domain ct state established,related accept
add rule filter output dport domain ct state new,established,related accept
...but the nft parser rejects this syntax as well.
Is there another way of writing this ?
Thanks,
- J
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Using sets for protocols ?
2017-08-08 21:15 Using sets for protocols ? J Doe
@ 2017-08-09 0:11 ` Eric Leblond
2017-08-13 1:01 ` J Doe
0 siblings, 1 reply; 3+ messages in thread
From: Eric Leblond @ 2017-08-09 0:11 UTC (permalink / raw)
To: J Doe, netfilter
Hi,
On Tue, 2017-08-08 at 17:15 -0400, J Doe wrote:
> Hi,
>
> I am currently experimenting with nftables syntax and was wondering
> if there was a way to specify that a rule applies to *BOTH* TCP and
> UDP.
>
> For instance, allowing DNS resolution:
>
> add rule filter input tcp sport domain ct state established,related
> accept
> add rule filter output tcp dport domain ct state
> new,established,related accept
> add rule filter input udp sport domain ct state established,related
> accept
> add rule filter output udp dport domain ct state
> new,established,related acceptÂ
>
> ...requires four rules the way I have written it.
Well, there is a series of mistakes here. First, usual way to write the
rules is to have one rule for established packets (that can also
include related)
add rule filter input ct state established accept
add rule filter output ct state established accept
This rule will take care of all replies and other packets. The only
thing you have to do after that is to accept packet that open a
exchange.
As you want to allow dns resolution, you need to open dns trafic:
add rule filter output ct state new udp dport domain accept
Client don't use TCP often but you will indeed need a extra rule if
ever ou want to:
add rule filter output ct state new tcp dport domain accept
> Is there a way to decrease this by specifying the rules apply to both
> TCP and UDP ?
>
> I tried using a set:
>
> add rule filter input { tcp, udp } sport domain ct state
> established,related accept
> add rule filter output { tcp, udp } dport domain ct state
> new,established,related accept
>
> ...but the nft parser rejects this syntax.
Yes, it won't work because the expression 'tcp dport domain' is
translated as 'check tcp + at tcp offset get port and check it against
53'
++
--
Eric Leblond <eric@regit.org>
Blog: https://home.regit.org/
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Using sets for protocols ?
2017-08-09 0:11 ` Eric Leblond
@ 2017-08-13 1:01 ` J Doe
0 siblings, 0 replies; 3+ messages in thread
From: J Doe @ 2017-08-13 1:01 UTC (permalink / raw)
To: Eric Leblond; +Cc: netfilter
Hi Eric and Noel,
> On Aug 8, 2017, at 8:11 PM, Eric Leblond <eric@regit.org> wrote:
>
> Well, there is a series of mistakes here. First, usual way to write the
> rules is to have one rule for established packets (that can also
> include related)
>
> add rule filter input ct state established accept
> add rule filter output ct state established accept
>
> This rule will take care of all replies and other packets. The only
> thing you have to do after that is to accept packet that open a
> exchange.
>
> As you want to allow dns resolution, you need to open dns trafic:
>
> add rule filter output ct state new udp dport domain accept
>
> Client don't use TCP often but you will indeed need a extra rule if
> ever ou want to:
>
> add rule filter output ct state new tcp dport domain accept
Ok, thanks for the correction regarding style.
Out of curiosity - was the original syntax I specified logically incorrect (in the sense that there would be errors in my firewall ruleset), as well as being poor style ?
I want to follow the convention, I'm just wondering if the way I am forming rules can lead to errors as well.
Thanks,
- J
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-08-13 1:01 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-08-08 21:15 Using sets for protocols ? J Doe
2017-08-09 0:11 ` Eric Leblond
2017-08-13 1:01 ` J Doe
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.